How to safely create users for Barman in PostgreSQL

Gabriele Bartolini

This short article guides you through the creation of the PostgreSQL users that Barman needs in order to work. It assumes you have already set up a Barman installation using our packages.

Barman needs to communicate with PostgreSQL in order to perform backup operations and coordinate activities. This is thoroughly described in the Barman documentation, specifically in the "Setup of a new server in Barman" section (please make sure you have read the documentation before proceeding here).

In this article we will go through two steps:

  1. Setup of the primary connection between Barman and PostgreSQL (mandatory)
  2. Setup of the streaming replication connection between Barman and PostgreSQL (optional)

For security reasons, we will use two different users, each with its own randomly generated password. Most importantly, we will store those passwords in the .pgpass file, so that you do not have to put them in connection strings (and therefore in Barman's configuration files).

Requirements

Barman needs to be installed on a separate server (for simplicity called backup, with IP address 10.0.0.250) using the RPM or Deb packages supported by 2ndQuadrant. Similarly, PostgreSQL is installed on another server (for simplicity called pg, with IP address 10.0.0.251), listening on port 5432.

NOTE: please replace the above hostnames and IP addresses with the ones used in your environment throughout the document.

Setup of the primary connection

Barman needs a role with superuser privileges in the PostgreSQL server in order to coordinate backup activities. This is mandatory. While you could simply use the postgres user, we recommend creating a separate role dedicated to Barman, so that its password and its pg_hba.conf access rule can be managed and restricted independently of the postgres account. Let's proceed with it.

First, generate a strong random password for the user. You can use a tool like pwgen, for example (add the -s option if you prefer a fully random password to a pronounceable one):

pwgen 20 1

On the backup server, as the barman user, create the ~barman/.pgpass file (if it does not already exist) and add the following line:

pg:5432:postgres:barman:PASSWORD

NOTE: Make sure you substitute PASSWORD with the randomly generated one.

Make sure the file has the right permissions: libpq refuses to use a .pgpass file that is readable by group or world, so a looser mode means the password is silently not supplied and Barman's unattended connections fail:

chmod 600 ~barman/.pgpass

In a separate terminal, connect to the PostgreSQL server via SSH and, as the postgres user, create the barman superuser role as follows:

createuser -s -P barman

When prompted, enter the random password that you have generated previously.

Make sure that pg_hba.conf on the PostgreSQL server allows the barman user to access the postgres database only from the Barman server (10.0.0.250). Remember that pg_hba.conf rules are evaluated top to bottom and the first match wins, so place this line before any broader rule that would otherwise match:

hostssl postgres barman 10.0.0.250/32 md5

IMPORTANT: We recommend that PostgreSQL is configured to accept TLS-encrypted connections (ssl = on), because the hostssl keyword only matches connections made over TLS. If it isn't, you need to change hostssl into host, which also accepts unencrypted connections. Also, make sure you use the right IP address for your environment. On PostgreSQL 10 and later, prefer scram-sha-256 over md5 as the authentication method (and set password_encryption = scram-sha-256 before creating the roles, so that the stored password hashes match).

As the postgres user, reload the PostgreSQL server configuration so that the new pg_hba.conf rule takes effect:

psql -c 'SELECT pg_reload_conf()'

You can now verify that the barman user can connect to PostgreSQL from the backup server. Run this as the barman OS user so that ~barman/.pgpass is consulted; you should not be prompted for a password:

psql -c 'SELECT version()' -U barman -h pg postgres

You should receive an output similar to this:

                                                    version
----------------------------------------------------------------------------------------------------------------------
 PostgreSQL 9.6.10 on x86_64-pc-linux-gnu (Ubuntu 9.6.10-1.pgdg18.04+1), compiled by gcc (Ubuntu 7.3.0-16ubuntu3) 7.3.0, 64-bit
(1 row)

Setup of the streaming replication connection

If you plan to take advantage of streaming replication for base backups with pg_basebackup and/or for WAL streaming with pg_receivewal (pg_receivexlog before PostgreSQL 10), which minimises the recovery point objective (RPO), you also need a user with the REPLICATION privilege. As in the documentation, we will call it streaming_barman.

Similarly to the step above, generate another password with pwgen. On the backup server, as the barman user, add the following line to the ~barman/.pgpass file. The database field is * because libpq looks up replication connections under the pseudo-database name "replication", so one entry serves both pg_basebackup and WAL streaming:

pg:5432:*:streaming_barman:PASSWORD

NOTE: Make sure you substitute PASSWORD with the randomly generated one.

In a separate terminal, connect to the PostgreSQL server via SSH and, as the postgres user, create the streaming_barman user as follows (--replication grants only the REPLICATION privilege, not superuser):

createuser -P --replication streaming_barman

Enter the randomly generated password when prompted.

Make sure that pg_hba.conf on the PostgreSQL server allows streaming replication connections as the streaming_barman user only from the Barman server (10.0.0.250):

hostssl replication streaming_barman 10.0.0.250/32 md5

IMPORTANT: The same considerations as for the primary connection apply: keep hostssl if PostgreSQL accepts TLS-encrypted connections, change it into host otherwise, and make sure you use the right IP address for your environment.

As the postgres user, reload the PostgreSQL server configuration so that the new rule takes effect:

psql -c 'SELECT pg_reload_conf()'

You can now verify that the streaming_barman user can open a streaming replication connection to PostgreSQL from the backup server (again as the barman OS user, so that the new .pgpass entry is used):

psql -U streaming_barman -h pg \
-c "IDENTIFY_SYSTEM" \
replication=1

You should receive an output similar to this:

      systemid       | timeline |   xlogpos    | dbname
---------------------+----------+--------------+--------
 6478545250863176024 |       19 | 188/CB114380 |
(1 row)
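The client-side part of both procedures above (the two ~barman/.pgpass entries and the two non-interactive connection checks) can be scripted so that it is repeatable and so that the file permissions and escaping rules are never forgotten. The following is an added example, not code from the original article or from the Barman project. It keeps the article's hostnames, port and user names as defaults; the PGPASS_FILE environment override and the "setup" argument are assumptions introduced here so that the helpers can be exercised against a scratch file before touching the real ~barman/.pgpass.

```shell
#!/bin/sh
# Added example (not from the original article or the Barman project):
# helpers that maintain ~barman/.pgpass for the barman and
# streaming_barman users and check the connections non-interactively.
# PGPASS_FILE is an assumed override so the functions can be run against
# a scratch file; PG_HOST/PG_PORT default to the article's values.
set -eu

PGPASS_FILE="${PGPASS_FILE:-${HOME:-.}/.pgpass}"

# Random password: pwgen -s if installed (as in the article), otherwise
# 16 bytes from /dev/urandom as 32 hex characters. Both give 32 chars
# from [A-Za-z0-9], which never need .pgpass escaping.
gen_password() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -s 32 1
    else
        head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# libpq requires a literal ':' or '\' inside a .pgpass field to be
# backslash-escaped; backslashes are escaped first so the colon escape
# is not doubled afterwards.
pgpass_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/:/\\:/g'
}

# Append host:port:db:user:password unless an entry for that
# host/port/db/user tuple already exists. The file is created under
# umask 077 and forced to 0600, otherwise libpq ignores it.
# Returns 1 (writing nothing) on a duplicate.
pgpass_add_entry() {
    key="$1:$2:$3:$4:"
    ( umask 077; touch "$PGPASS_FILE" )
    chmod 600 "$PGPASS_FILE"
    if awk -v k="$key" 'index($0, k) == 1 { found = 1 } END { exit !found }' "$PGPASS_FILE"; then
        echo "pgpass: entry for $key already present, not overwriting" >&2
        return 1
    fi
    printf '%s%s\n' "$key" "$(pgpass_escape "$5")" >> "$PGPASS_FILE"
}

# Mode check: libpq warns and ignores a .pgpass file that is group- or
# world-accessible, so Barman's unattended connections would then fail.
# Returns 0 only when the mode is exactly 0600.
pgpass_check_perms() {
    mode=$(stat -c '%a' "$PGPASS_FILE" 2>/dev/null || stat -f '%Lp' "$PGPASS_FILE")
    [ "$mode" = "600" ]
}

# Non-interactive versions of the two psql checks in the article.
# -w makes psql fail instead of prompting when .pgpass does not match,
# which is exactly how a cron-driven Barman run would behave.
verify_primary() {
    psql -w -U barman -h "$1" -p "$2" -d postgres -c 'SELECT version()'
}
verify_streaming() {
    psql -w -U streaming_barman -h "$1" -p "$2" \
        -d 'replication=1' -c 'IDENTIFY_SYSTEM'
}

# One-shot setup of both entries. The generated passwords are printed
# once so they can be typed at the createuser -P prompts on the
# PostgreSQL server.
main() {
    pg_host=${PG_HOST:-pg}
    pg_port=${PG_PORT:-5432}
    barman_pw=$(gen_password)
    streaming_pw=$(gen_password)
    pgpass_add_entry "$pg_host" "$pg_port" postgres barman "$barman_pw"
    # '*' matches the pseudo-database name "replication" that libpq looks
    # up for replication connections (pg_basebackup and WAL streaming).
    pgpass_add_entry "$pg_host" "$pg_port" '*' streaming_barman "$streaming_pw"
    pgpass_check_perms
    printf 'barman password:           %s\n' "$barman_pw"
    printf 'streaming_barman password: %s\n' "$streaming_pw"
}

# Run as: PGPASS_FILE=~barman/.pgpass sh pgpass-setup.sh setup
if [ "${1:-}" = "setup" ]; then
    main
fi
```

Save it (for example as pgpass-setup.sh) on the backup server and run it as the barman user with the setup argument; the two printed passwords are what you enter at the createuser -P prompts on the PostgreSQL server. After the roles and pg_hba.conf rules are in place, call verify_primary pg 5432 and verify_streaming pg 5432 from the same shell: the -w flag is the important part, because a check that quietly falls back to a password prompt proves nothing about what Barman will see when it runs unattended.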

Conclusions

The above best practices allow you to set up a more robust and secure backup environment for your PostgreSQL servers using Barman. Make sure that:

  • you rely on the .pgpass file for storing passwords, rather than adding them to Barman's configuration options or connection strings;
  • you properly restrict client access in pg_hba.conf, to the Barman server's address only and preferably with encryption in transit.
